diff --git a/nixos/machines/hera/network.nix b/nixos/machines/hera/network.nix
index 740221a7..2a1f3413 100644
--- a/nixos/machines/hera/network.nix
+++ b/nixos/machines/hera/network.nix
@@ -10,8 +10,35 @@ in {
 m-0.tailscale-routes = "fd42:ccc:da:64::/64,172.20.64.0/24";
 networking = {
 nftables.ruleset = ''
- table ip nixos-nat { chain post { iifname tailscale0 oifname tinc.cdark.net masquerade comment "snat queries to hackspace";};}
- table ip6 nixos-nat { chain post { iifname tailscale0 oifname tinc.cdark.net masquerade comment "snat queries to hackspace";};}
+ table ip nixos-nat {
+ chain pre {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+
+ chain post {
+ type nat hook postrouting priority srcnat; policy accept;
+ iifname "bridge" oifname "ens18" masquerade comment "from internal interfaces"
+ iifname "tailscale0" oifname "tinc.cdark.net" masquerade comment "snat queries to hackspace"
+ }
+
+ chain out {
+ type nat hook output priority mangle; policy accept;
+ }
+ }
+ table ip6 nixos-nat {
+ chain pre {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+
+ chain post {
+ type nat hook postrouting priority srcnat; policy accept;
+ iifname "tailscale0" oifname "tinc.cdark.net" masquerade comment "snat queries to hackspace"
+ }
+
+ chain out {
+ type nat hook output priority mangle; policy accept;
+ }
+ }
 '';
 hostName = "hera";
 domain = "m-0.eu";
@@ -52,12 +79,12 @@ in {
 }
 ];
 };
- nat = {
- enable = true;
- enableIPv6 = true;
- externalInterface = "ens18";
- internalInterfaces = ["bridge"];
- };
+ #nat = {
+ # enable = true;
+ # enableIPv6 = true;
+ # externalInterface = "ens18";
+ # internalInterfaces = ["bridge"];
+ #};
 nameservers = ["213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53"];
 firewall.allowedTCPPorts = [8666];
 #firewall.allowedUDPPorts = [wireguard.port];
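Review bot: The new `table ip6 nixos-nat` post chain masquerades only tailscale0→tinc.cdark.net, while the `networking.nat` block being retired in the second hunk had `enableIPv6 = true` with `internalInterfaces = ["bridge"]`, so IPv6 from "bridge" out "ens18" silently stops being NATed in this change. If that is intentional (routed global IPv6 on the bridge) a one-line comment in the ip6 post chain saying so would stop the next reader from re-adding it; if not, mirror the v4 rule with `iifname "bridge" oifname "ens18" masquerade comment "from internal interfaces"` in the ip6 post chain. The `networking = { ... }` attribute set that this ruleset lives in continues outside the hunk.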
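Review bot: Commenting out `networking.nat` removes more than the generated masquerade rules the hand-written ruleset now replaces — as far as I recall the NixOS nat module is also what sets `net.ipv4.conf.all.forwarding` (and the v6 counterpart when `enableIPv6` is on), and nothing visible in this diff sets those sysctls, so the masquerade rules in the new nixos-nat tables may never see a forwarded packet unless another module (e.g. tailscale's routing features) enables forwarding. Worth confirming on the host, or making it explicit with `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;` and `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;` next to the ruleset. Also prefer deleting the block over leaving six commented lines — git history keeps the old values, and a stale commented `enableIPv6 = true` misleads about what the live ruleset does.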